berbew | c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c

Analysis

max time kernel
93s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Size

67KB
MD5

5ced743b49be33fa4af4848f160a4605
SHA1

95ee0b0a9ba85615a813e02bf67cf84b4efa1271
SHA256

c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c
SHA512

5c54d736c1f1500538b4737cb31b11df99a67f8771096d9b4d6072f05db4d3e90e38fff7e92047e180adca047d5a7fb118946be2588a1e36f6e24858b0c43e36
SSDEEP

1536:vrN1l8NfOJ29RAP2b8xGSxphUHcRD9+BEZsJifTduD4oTxw:v6BzXYxGSLhCMxZsJibdMTxw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3484	Pqknig32.exe
1660	Pgefeajb.exe
3452	Pfhfan32.exe
3732	Pnonbk32.exe
2872	Pqmjog32.exe
3396	Pclgkb32.exe
2276	Pjeoglgc.exe
2196	Pqpgdfnp.exe
1036	Pcncpbmd.exe
3148	Pjhlml32.exe
2468	Pncgmkmj.exe
3064	Pcppfaka.exe
3668	Pnfdcjkg.exe
3216	Pmidog32.exe
2536	Pgnilpah.exe
4240	Qnhahj32.exe
3952	Qgqeappe.exe
1092	Qjoankoi.exe
3212	Qcgffqei.exe
2616	Ajanck32.exe
4856	Ampkof32.exe
2964	Adgbpc32.exe
4712	Ajckij32.exe
868	Ambgef32.exe
1544	Aclpap32.exe
4988	Ajfhnjhq.exe
2952	Aqppkd32.exe
1388	Ajhddjfn.exe
968	Andqdh32.exe
3636	Aeniabfd.exe
3568	Ajkaii32.exe
1248	Aepefb32.exe
2800	Bfabnjjp.exe
4260	Bagflcje.exe
3948	Bganhm32.exe
768	Bnkgeg32.exe
884	Beeoaapl.exe
5040	Bffkij32.exe
1936	Bnmcjg32.exe
1948	Beglgani.exe
1924	Bgehcmmm.exe
5084	Bnpppgdj.exe
4092	Bmbplc32.exe
3652	Bclhhnca.exe
1684	Bfkedibe.exe
5004	Bmemac32.exe
1956	Bcoenmao.exe
1860	Cfmajipb.exe
2332	Cmgjgcgo.exe
3184	Chmndlge.exe
2904	Cmiflbel.exe
2068	Cdcoim32.exe
2844	Cfbkeh32.exe
4596	Cmlcbbcj.exe
2976	Cdfkolkf.exe
432	Chagok32.exe
808	Cjpckf32.exe
5104	Cnkplejl.exe
2928	Ceehho32.exe
3944	Chcddk32.exe
4544	Cjbpaf32.exe
4724	Cmqmma32.exe
4976	Calhnpgn.exe
3580	Ddjejl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5496	5368	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3484	5076	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe	84
PID 5076 wrote to memory of 3484	5076	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe	84
PID 5076 wrote to memory of 3484	5076	c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe	84
PID 3484 wrote to memory of 1660	3484	Pqknig32.exe	85
PID 3484 wrote to memory of 1660	3484	Pqknig32.exe	85
PID 3484 wrote to memory of 1660	3484	Pqknig32.exe	85
PID 1660 wrote to memory of 3452	1660	Pgefeajb.exe	86
PID 1660 wrote to memory of 3452	1660	Pgefeajb.exe	86
PID 1660 wrote to memory of 3452	1660	Pgefeajb.exe	86
PID 3452 wrote to memory of 3732	3452	Pfhfan32.exe	87
PID 3452 wrote to memory of 3732	3452	Pfhfan32.exe	87
PID 3452 wrote to memory of 3732	3452	Pfhfan32.exe	87
PID 3732 wrote to memory of 2872	3732	Pnonbk32.exe	88
PID 3732 wrote to memory of 2872	3732	Pnonbk32.exe	88
PID 3732 wrote to memory of 2872	3732	Pnonbk32.exe	88
PID 2872 wrote to memory of 3396	2872	Pqmjog32.exe	89
PID 2872 wrote to memory of 3396	2872	Pqmjog32.exe	89
PID 2872 wrote to memory of 3396	2872	Pqmjog32.exe	89
PID 3396 wrote to memory of 2276	3396	Pclgkb32.exe	90
PID 3396 wrote to memory of 2276	3396	Pclgkb32.exe	90
PID 3396 wrote to memory of 2276	3396	Pclgkb32.exe	90
PID 2276 wrote to memory of 2196	2276	Pjeoglgc.exe	91
PID 2276 wrote to memory of 2196	2276	Pjeoglgc.exe	91
PID 2276 wrote to memory of 2196	2276	Pjeoglgc.exe	91
PID 2196 wrote to memory of 1036	2196	Pqpgdfnp.exe	92
PID 2196 wrote to memory of 1036	2196	Pqpgdfnp.exe	92
PID 2196 wrote to memory of 1036	2196	Pqpgdfnp.exe	92
PID 1036 wrote to memory of 3148	1036	Pcncpbmd.exe	93
PID 1036 wrote to memory of 3148	1036	Pcncpbmd.exe	93
PID 1036 wrote to memory of 3148	1036	Pcncpbmd.exe	93
PID 3148 wrote to memory of 2468	3148	Pjhlml32.exe	94
PID 3148 wrote to memory of 2468	3148	Pjhlml32.exe	94
PID 3148 wrote to memory of 2468	3148	Pjhlml32.exe	94
PID 2468 wrote to memory of 3064	2468	Pncgmkmj.exe	95
PID 2468 wrote to memory of 3064	2468	Pncgmkmj.exe	95
PID 2468 wrote to memory of 3064	2468	Pncgmkmj.exe	95
PID 3064 wrote to memory of 3668	3064	Pcppfaka.exe	96
PID 3064 wrote to memory of 3668	3064	Pcppfaka.exe	96
PID 3064 wrote to memory of 3668	3064	Pcppfaka.exe	96
PID 3668 wrote to memory of 3216	3668	Pnfdcjkg.exe	98
PID 3668 wrote to memory of 3216	3668	Pnfdcjkg.exe	98
PID 3668 wrote to memory of 3216	3668	Pnfdcjkg.exe	98
PID 3216 wrote to memory of 2536	3216	Pmidog32.exe	100
PID 3216 wrote to memory of 2536	3216	Pmidog32.exe	100
PID 3216 wrote to memory of 2536	3216	Pmidog32.exe	100
PID 2536 wrote to memory of 4240	2536	Pgnilpah.exe	101
PID 2536 wrote to memory of 4240	2536	Pgnilpah.exe	101
PID 2536 wrote to memory of 4240	2536	Pgnilpah.exe	101
PID 4240 wrote to memory of 3952	4240	Qnhahj32.exe	102
PID 4240 wrote to memory of 3952	4240	Qnhahj32.exe	102
PID 4240 wrote to memory of 3952	4240	Qnhahj32.exe	102
PID 3952 wrote to memory of 1092	3952	Qgqeappe.exe	104
PID 3952 wrote to memory of 1092	3952	Qgqeappe.exe	104
PID 3952 wrote to memory of 1092	3952	Qgqeappe.exe	104
PID 1092 wrote to memory of 3212	1092	Qjoankoi.exe	105
PID 1092 wrote to memory of 3212	1092	Qjoankoi.exe	105
PID 1092 wrote to memory of 3212	1092	Qjoankoi.exe	105
PID 3212 wrote to memory of 2616	3212	Qcgffqei.exe	106
PID 3212 wrote to memory of 2616	3212	Qcgffqei.exe	106
PID 3212 wrote to memory of 2616	3212	Qcgffqei.exe	106
PID 2616 wrote to memory of 4856	2616	Ajanck32.exe	107
PID 2616 wrote to memory of 4856	2616	Ajanck32.exe	107
PID 2616 wrote to memory of 4856	2616	Ajanck32.exe	107
PID 4856 wrote to memory of 2964	4856	Ampkof32.exe	109

C:\Users\Admin\AppData\Local\Temp\c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe
"C:\Users\Admin\AppData\Local\Temp\c26191695d5051a5e61cf4306af78c88faade94a8a94855acfea9e4ef925820c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Pqknig32.exe
  C:\Windows\system32\Pqknig32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\Pgefeajb.exe
    C:\Windows\system32\Pgefeajb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Pfhfan32.exe
      C:\Windows\system32\Pfhfan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        30⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        70⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        82⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 396
        83⤵
        Program crash
        
        PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5368 -ip 5368
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
67KB

MD5
d5ad152031d43edf2dfd791fc5f18c6a

SHA1
5b64d1ef4bf1e56de322e7e9782e8ddc7d554cfb

SHA256
d096bc2ccfea1efeab1c94c4694edbc60ffda9afeab213946460a51426ecbe3f

SHA512
bf6aa7baf6bd524ad50189421ef284d93acdff7339c188a7b21d341325387d59c5d7637c1000df540c69f95b40ade86a7ca565e953a8affae39c8307b9cb77ca

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
67KB

MD5
9d4d9f3d407c6ecef243f60c9e1077c3

SHA1
66ec4b714151577f314c1202bf533d07ea199cc6

SHA256
401384a3e2f46f8337e465d6d874353e59d86703a90788a1c51f5cb9b8d71a2d

SHA512
8370a01521a4c5e2c154fc8f2bf0be8cf23e1aff8049a3b90e896abf2c3d42253fd34fd909029f16ecf01318bf763fe936a5da9c112f6f2f7d87d7887159bc79

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
67KB

MD5
1ef71368389e555b6c9cd0e30caad641

SHA1
0ff6bfd3d57a5222165056553943d23887d50446

SHA256
6d126d6f294f32cdf3d6b9ce18325833fbc84311bec7ec4df445b6a6a795e0a9

SHA512
42cfe53f63fe2de449e278ff7e5b3619405e3a05318ff4181424ec9f90da96ff143b500f32c1c857046b24d432e987522d33e45ac7cf33655d2e480e94123d8c

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
67KB

MD5
8f5444bdd4ba4088310ca43db1ef309b

SHA1
2aaaad46dadb70488d84cc62c37f91b5c83123e2

SHA256
f0a7a1ca1f75f6133d706c0ddeb0f1f7af7a7d9038b37e0c23d1c5d69e542b33

SHA512
cc69b280631973941bfec9502cb200958546147a8969af4a621108c565969da98172376155280ebab478b75d85a23777733c48a620fcff8677df1eb9db5e0a9a

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
67KB

MD5
ddd83ab30ab66d8a88e1bd252c0de05a

SHA1
16176a10618f789144f7399486f22af151d8bbda

SHA256
1c803651af25af9c04e30cd40e6be08a605257494139ebe26110870db3f4bb87

SHA512
70641ee97f1430f3b7ece4e61d0ff2dff412c7618233ee68c3a24eba705d45ce71517b9deae06bba2fb38125c0e1dd0d5f31410244478b6d3ad1c5ed66cacac3

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
67KB

MD5
8d61e492a1cf45608a98e44dac8a6aff

SHA1
e808caa339ff5220e351e751f0d18e91b8fbb1ab

SHA256
033a0e3eb1f5a97616aa93b22d6d68a27083ba30a85c9442ed60cc9a4722e2e9

SHA512
f2a5b50b44a0e1cda0664dc538b333ada0ea0282a80b1c47c40ee9295b13d49bc2904f04cdf411155081cf6230877694b7a3fc5f478b04221e6dd3f997ade635

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
67KB

MD5
3025175b0398b2bb8740926c901deec5

SHA1
601495d6828b2c4b7814d2ea88e0553c1d5dc62c

SHA256
0207a0ee31f60bc7b1ea6e1750b9539f1de889fa0386a4374f96229b7d5685f2

SHA512
62b0fc58bd669ac1380a3fd5dfce277536be8c6342394d4d275910cd3b4a82fd7d5194fe7a281913b13f71818c7be46cec4a638e353e64aeab06623357fcfcde

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
67KB

MD5
bd1eef1dfe54ec59b814e1fd3e43e39d

SHA1
aad9e52b8ea6e7b90f3f618a36a981d167535dda

SHA256
2f39896ff33ae745693a3b080a37ba98738f377c5a4598a3351f4195afd76ee2

SHA512
0e3153f9a69437cb4afe188b11ed4f29e2b84719ff2d748db49c3553484aa4e6be03a1ae6bb6450f19d36b5be5502164341a00fc1527f38a898ea248e4fee193

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
67KB

MD5
7afb5f4b920b9915ebe1c4a1492b5d5a

SHA1
840b265deb2a34905473254ba93aa5b89e04e3bb

SHA256
df5fe35270d5fbb5dd466315f5fed82c9cfff0cc3637c49b592c4fe40a04997b

SHA512
9c374bd1f68d9e27362feaeefffdde0a2f0f960cd31fa9b16c7e124c155c37f6b8f6007f44f1e3605f302e87d90491725e391f20427138975dc37dc7879a38e7

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
67KB

MD5
b06014324979e912d0242aaac6d09443

SHA1
b7abc6b42d0ec00e3771054ba8de6df866b0129f

SHA256
cb131635145336fed8daa1d3e49b2c3dda6ca4048aa4d16a8c4ad1a670394f9d

SHA512
8390549359b27553d2a1716ab44a9c6a1a85183c01f7cfbbc09351fd2a5e318bcb36745045b27a9dc50619da249b820c70093eecd29bf04a6b8ebf3ebbd4a7d2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
67KB

MD5
b4c3bb4ca0a019e13eb4e71c64b36734

SHA1
8f903c42dbd5f5757d3c2375f53aafcf236d70e2

SHA256
a49462989fc35102577220e48820792a7a7a1abc6144c11ea62293b932ff386a

SHA512
ad09cc8937ace318e666175cec977be3b46c3d31de01303e0cad0f1046d1c54c7e4e9dfa2fe029dc4b890fa47fbba0f1e43e2bde3e12b723978716aba740a0ce

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
67KB

MD5
d5cc4bd382774b1ed76ef4dcb5e1aff3

SHA1
77247cd3b82f4a993927dcca489347b1899d559e

SHA256
f49c31f52e55b2fbf70430d698b4fc0abe5dd2ca03c2fa407b2900bec2253b50

SHA512
d0eb7e087a79475ec988594a06628198ce431c717dcee9bb9c74d546439ae39f8ccb0feb5839141f109c243400c1cb6d2cd2c44792013173cfcdd3682228a21c

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
67KB

MD5
15f965ae106575ae5fa4c53dcf206ed9

SHA1
9225fe9f33efdc576c0ff6be5b34949cd697af89

SHA256
5bc3b0d7b4202824d49bd53c28be1de23be1d80a236b4598cf9d4c360d455540

SHA512
677bf45d3d9bb87b546ec6e0081a0aa140f5c36c696a99f2ad7df94703bb68913e4ff231b320aefef6218761e12345971a9193fdf9ed18a3a599d45b1f623fc0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
67KB

MD5
7e10d4a0c1219485356885a84eafa4b3

SHA1
15971db9672a46a0dafa013e137a9948b0b08231

SHA256
84903f05aa4eb94163172f09bebc5ebc5a134319033f9a884bc9ab1a8825c6df

SHA512
114c226d066bb036979dc98a454a7a29eff8469b8cbb3d7fb58df5acfa7a441dec6260878de8663e5f6d299afcda9249b7355573b26e346b8a243c6b77db7e37

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
67KB

MD5
64cabe27e972164f042c3795d433d95f

SHA1
617d42b924f7a9dcf72a690e9d903779a6627cfe

SHA256
7d9ef3b7eb8228498ec6102c7860f52db60035085f82a054ecfe5fff4916de0d

SHA512
32ab17eafb25ce6c162247e970034252f71616637909307b16c667b4aa2061cb706ee40d1c394ed839b312c53ba482af44ce4b511ac0bb9523a7f7c8e8cb7f18

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
67KB

MD5
e3765e6e812b916474a8fa39d5ccbf3f

SHA1
4f9b6bd7683fdddad51569b76806fd5915a67de9

SHA256
42c4fef140f2c2666a89c80fdea8f687e672925ce5d05240a4f625c309cfec7b

SHA512
2a336729193879bcc952fdea7614133b867ad99a332ee1c483ddc282c0abe38c15b97fed005ca986aebf427ead55dce3cc40604d3eba4ca5509e8b9ab5e4dbbd

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
67KB

MD5
d82d2a48c5a3e67919b73bd93944b02b

SHA1
1ec82b4dfc38d5d6dd999b66a386f79e7bffff3d

SHA256
f78cec8d65775227bad11f8c36a5c217c96151b8c1222987fa8360c693a885cd

SHA512
843c2f4327ce1475a2393a93a9f4b69280e2bdb04f8996db858638136f1f3b13fc1c3f2c22bac70868740d26fc5849e9b61f415b047117e3b9f989e3acf36603

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
67KB

MD5
1355a35274f94f8ebde1d2ddc686410d

SHA1
875e3957d5abb3a814f325234b64a86dd85b86f7

SHA256
cbb374e09dcd5cf0579ca04a9e92ac635e744d9216e918bf73fff00f9002acd8

SHA512
0132163dced19134353def1eb7c4a6d2659256d3fa52429c9ea2e2a784f77be7f07982dc4b7f785a4cfa7af26d82c5baf3e9f63eb2d57d8aa36323ffd5fddb0c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
67KB

MD5
3e912d66c2c7df856e638db5eb153e85

SHA1
01be305589d35ac45180aa7c3b95701c938d98ea

SHA256
61442dad671b4d95eac1b22100b6024b0553af6af70a96056daec2f8047a7ba0

SHA512
dc3a7f9539af7ce145c154eb856eb8bccae3892d33cb765611c5d82c22db6c0bda6275e6f068f2b54870cb1283d59f21161fb0cae7ec4c3ef722a8a309b5612f

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
67KB

MD5
62c855186c026c703144ee8b04184d0e

SHA1
933c681f058c59a51efe29da5d1a7218526d3d26

SHA256
c7112dcbfb35a36ef2222d505f843186e77a46629dc31e6700793be9477e1083

SHA512
acb02d7604deec8bd31f000aee3603556547aa93af65d9922da02c6f011331e5df8bd25bf2a6d6935295b53d23a75b592b415ba56c56c2fb5c0b2f463e2a8f47

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
67KB

MD5
f2c6dbb0b6c3ed8753adcc0421fbb5c8

SHA1
f789bbbdd81eb7cedae2183fe9388c5010fb86e5

SHA256
b67b757f11190e622ae1865e34e3a5233f0470f185693f4e71635c0dd39b2430

SHA512
6d2e38e8a3d717b5a34783ebd03863afe286076dd29d7be132e9c0429d4ac0f952d94de169753c9a10f57ece7a5e74c7a2cc618cdcad6b171ef25202ee006577

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
67KB

MD5
9f9d37b03645161173826228808bf905

SHA1
7aa2c16b03c41d8770eb901077bbe9880d5d018e

SHA256
114e1c656aebab4036a8bb067599ef3626316b5f4aa9dc130e5f2356b915fec4

SHA512
edc8835f00bb80cb81de3b4ee4bf4758e3dd84c493508c1848310c4382dba7b6b66e84f5e7042a6ef2715f0922b85a5464fb11d9d308f96c05fc0746d627438e

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
67KB

MD5
97b28e4d3ad180574e74939d19312c1e

SHA1
4f820f7a28051229b286c767b8faaf828c571a52

SHA256
cfda2b054f7333e261b53a608e0240728bcfec9ec96a42e6a1bae31c64c33373

SHA512
b8dccc2600db82a8d4c2dbaa844ef5599466f944dcdc4f72bdabf39536a0a31df1e9f96b102579d383d2f59a5638720253ca54ee3da9af86e6ca68b0bf7e93fa

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
67KB

MD5
cecc2079468f1bbd22c02ef38750d0ff

SHA1
51b8cab5cb0b5849b3cc9ec08a479317720a52aa

SHA256
f6b60aefec84c524b10895a21c411f2e98637001399451cd1dcbfcac380f56fd

SHA512
7744d03f6ba3369f076c5639ede8da14dfb2dd8c814dee5563d1333a3ac98eb2946a1dfa600b559d9ddfe2101d42bb9452d2279acf004b40d70e126225b6503d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
67KB

MD5
adfd07a3ad3569c4afe4f49f1400738c

SHA1
aed5737f3f645b219d26fd19af197c3d2d522c6a

SHA256
47a3f0ac1f64747c45de211c9a4f3c3642f0ae9d97b1d25d02be2a1209075718

SHA512
71e41e8335838e6562b64b2521795eaa42507653dfb0a0d8c8b70905c567c781c8e9c6fc72f073ab6e3ab0581fce0264f345c0292c3cf3fa12d891670cdef2ae

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
67KB

MD5
0b887066498cbc8f8abe52698be8086c

SHA1
feecfe1314d91f094af14a2dea43aa5a2926f3de

SHA256
8dbd473610269517a95f3e457c630aa67873e8f8275448d54e9f2ef204725f2c

SHA512
de5b6f43808143d1387742cbe21f11d8cb298cb3a76812532994dd04855274f43d2f7c97d82c1a58173f899335378f47591e08e61b6dd4c4bef06e2b63a08a9c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
67KB

MD5
363161641d3756eeea27a69a0e27947c

SHA1
e81961f314afa64aa6b506fc2f2408d2b46ffdd0

SHA256
4decdbc0708f006d7e5d72cf26921bf0729a2afd3cca679a43e5fa0c6f27b6e1

SHA512
f590d8d4cd2cd2b7e4ddd16ce8b741bfd7b7e4b36c32dbc36f647c0d9c4baf242f18eb9722fec1b860192ced462446efea2bddc3205ac8552cb734b41079f89d

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
67KB

MD5
b6977582a0d6c1c85043ceaab234e4d3

SHA1
0c8910186c9f7ba352dc785381be0e7504c8042f

SHA256
91bc2e444237b8ee730b9856724a5cef4172f9d77dfdbf522477a8080574c8a9

SHA512
2b327547cdc55a294559652885b5317994d71e7158e510d1c15581580c2f9f137a08d28ecc0dfb5d680354d0b4a44ac20e8ab6accc716bd4da6b264b370215c3

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
67KB

MD5
4ee0f154ade7753badeed4c9568cc797

SHA1
4460972fc17efdd3925a86e147809510176d4e27

SHA256
bebabb9c22fc3b2aceba213ce1d210f4c87b28c519560c8bdeaf784e1573d8f0

SHA512
baf335d4ec3f6a4b44b39ec008e62f75e656e6f1698f10f96849e980d8840b5da08ee173215a061f97081f2c969679f2e8a968f3819e533370026d4edb4b6856

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
67KB

MD5
bbb3e1ba3746b7e75f4d21376e009b63

SHA1
c03b1b2172ca29c826e3f6f4d3c68c6c7d6c8a1a

SHA256
ca972f5f8362dcbf7e39c7ad9e86de88c8f9da388fa918c05ee2c25ad87c5cce

SHA512
3a96d397bf66d311873756317c3176fdea85cb3c60a9590932637b186d6db2a10ef346c2eb1a93784d4e931344cc5714f2078ba890abee34e49fd97b1aacc4fe

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
67KB

MD5
138ffcfbc5e719ee5cdef81fe2c2b2b5

SHA1
bf1e085fbfef345e388895e80ed3e38ddac165f9

SHA256
55ea34da0add51f4b96cc47726d125c7f290f12604c07d7c91a53afc245c22f7

SHA512
91e77035aebbb818a883058c0eea4469a7c9c54abcd01bb88ac735a5b4a0be712939de67b8c4fe44362435bdd368d19805b92de4fe1dd89a4d5b9966a17ad13a

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
67KB

MD5
0e1b750018bd69b64ed60e028dc5f871

SHA1
c48d8d716447825ac3576ec637f30c82059cfe64

SHA256
a12cac6116279ba8a27de401ed8deebc618660671af54eb49f3202dad90ab326

SHA512
24219d6036bc104345b726520665e42ebb6243cc8ccd21703bd9c767f3d3d9fba082d972369857ccd568b1b599233c051281b8e6906ae89610cfcf300481aa26

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
67KB

MD5
0eb81abf990a08727ac1294fb6ea8074

SHA1
f5881dc2fa8ba0c596deb55930c087697a9270ae

SHA256
b0dfa9f291cd84273149f5ca447aee8f70e5049c71430c408d022e98eb138050

SHA512
8e1434ea92d384c8a58a1e6d284ee5656881d17766ac9ce441d66f1b9a522d29af1401e10a3b452d0acd5f2f36e3f450bb8cb69fd121dce92319cfb150037b57

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
67KB

MD5
567bbfcda85726acd401e3b851b5af90

SHA1
79a0ee7d7144284fecd19e0615a6dee8c28877d2

SHA256
5b0361150fae2f3cc21e58c32633fe00ba1c1e6dc10a9c2b2fcd49e79ddfd84b

SHA512
96aba8dd092e2c66f044af0b09357379d8e747eb921d64d4e429c0dab39c17c9005b4d95344181d6d937ec07877c3adecc5e05c65c8ea6348772559fc24f53e2

Download Submit
memory/768-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/768-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/884-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/884-380-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1036-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1036-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1092-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1092-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1388-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1388-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-367-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-408-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1936-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1936-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1948-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1948-401-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1956-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2068-416-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2276-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2276-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2332-395-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-213-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2616-263-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2616-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2844-423-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2904-409-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3148-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3184-402-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-204-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3396-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3396-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3452-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3452-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3484-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3484-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3568-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3568-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3636-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-360-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3668-195-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3668-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3732-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3732-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-366-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3952-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3952-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4092-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4092-422-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4240-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4240-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4712-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4712-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4988-305-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4988-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-374-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-387-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5076-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5076-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5084-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5084-415-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads